oss-sec mailing list archives
Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)
From: cve-assign () mitre org
Date: Wed, 27 May 2015 11:26:45 -0400 (EDT)
> only exist if you build with DEBUG_ASN1
As suggested in the http://openwall.com/lists/oss-security/2014/01/29/10 post, unsafe programming practices reachable in non-default builds are not within the scope of CVE simply because the code exists. There must be documentation indicating that an end user may wish to have the applicable non-default build. As far as we know, MIT Kerberos 5 does not document DEBUG_ASN1 for use by end users. It seems reasonable to expect that those code sections are only intended for use during development, and that there's a cost/benefit tradeoff to addressing all possible risks to their developers' machines. There won't be a CVE mapping for this DEBUG_ASN1 report unless the upstream vendor requests one.
> To: ... CVE ID Change <cve-id-change () mitre org>
This report doesn't relate to the cve-id-change () mitre org list.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Current thread:
- Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1) Kurt Seifried (May 26)
- Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1) cve-assign (May 27)